Every request you send to a website running vulnerable versions of Gazelle could be intercepted, poisoned, or hijacked — and neither you nor the server would ever know it happened.
Who's at Risk — and How Many People
Gazelle is a high-performance web server framework for Perl, widely used in production environments where speed and concurrency matter — think internal enterprise applications, APIs, and legacy-adjacent systems that still run Perl stacks. Gazelle's downloads from CPAN, Perl's central package repository, number in the tens of thousands. Every application running Gazelle version 0.49 or earlier is currently vulnerable.
If your organization runs a Perl-based web application behind a reverse proxy — something like Nginx, HAProxy, or a cloud load balancer sitting in front of your app server — you are directly in the blast radius of CVE-2026-40562. The vulnerability carries a CVSS score of 7.5 (HIGH), and while no active exploitation has been confirmed yet, the attack class it belongs to has a well-documented history of being weaponized quickly once a specific target is identified.
What's Actually Happening Here — No Jargon
Imagine a busy post office where two workers sort packages. One worker reads the label on the outside of the box. The other reads a slip of paper stuffed inside. Normally they agree. But what if someone mailed a package where the outside label said "small parcel" and the inside slip said "large freight"? Chaos ensues — packages get misrouted, mixed up, or delivered to the wrong address entirely. That's essentially what's happening here, except the "packages" are HTTP requests, and the "wrong address" could be another user's private session data or your application's admin panel.
When your browser talks to a web server, it sends instructions along with its request explaining how big that request is. There are two competing ways to communicate this size: one called Content-Length (a simple byte count) and one called Transfer-Encoding: chunked (a method of sending data in labeled pieces). Security standards are very clear that when both show up together, chunked encoding wins — full stop. Gazelle's flaw is that it does the opposite: it listens to Content-Length and ignores chunked encoding. That disagreement between the front-end proxy (which follows the correct rule) and Gazelle (which doesn't) creates a gap. An attacker crafts a specially malformed request that exploits this gap, effectively hiding a second, malicious request inside the first — invisible to your firewall, but fully executed by your server.
The consequences are serious and varied. An attacker who successfully smuggles a request can bypass authentication checks, poison web caches to serve malicious content to other users, steal session cookies from people who had nothing to do with the attack, and in some configurations escalate to full server-side request forgery. This isn't theoretical: HTTP request smuggling has been used in real-world attacks against major platforms including Outlook Web Access and several large e-commerce sites in the past five years.
The Technical Detail Security Researchers Need to Know
The root cause is a header precedence inversion in Gazelle's HTTP/1.1 request parser. RFC 7230, Section 3.3.3 explicitly mandates that Transfer-Encoding must take precedence over Content-Length when both headers appear in the same request. Gazelle through version 0.49 inverts this priority, resolving the ambiguity in favor of Content-Length. This creates a classic CL.TE desync condition — the front-end proxy (which correctly handles chunked encoding) and Gazelle disagree on where one HTTP request ends and the next begins, enabling request smuggling into the back-end processing pipeline.
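To make the precedence rule concrete, here is an added example (written for this article, not Gazelle's own parser code) of a minimal HTTP/1.1 body framer that can be switched between three policies: the RFC 7230 rule (Transfer-Encoding wins), the inverted Content-Length-first rule the advisory attributes to Gazelle 0.49 and earlier, and a strict mode that refuses any request carrying both headers, which is what the reverse-proxy hardening described later amounts to. The sample request is constructed; it carries a benign five-byte chunked body so that the two framing policies visibly disagree on where the request ends, without the bytes after that boundary doing anything.

```python
# Added example: HTTP/1.1 body framing under three precedence policies.
# Not Gazelle's code; the sample request below is constructed for illustration.


class FramingError(ValueError):
    """Raised when a request's body framing is ambiguous or malformed."""


def parse_headers(raw: bytes):
    """Split a raw request into (request_line, headers, bytes_after_headers).

    Header names are lower-cased; repeated headers are joined with ", ",
    which makes a duplicated Content-Length fail validation below."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        name = name.strip().lower().decode("ascii")
        value = value.strip().decode("ascii")
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0].decode("ascii"), headers, rest


def read_chunked(data: bytes):
    """Decode a chunked body (RFC 7230 section 4.1); return (body, leftover)."""
    body, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0].strip().decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip any trailer lines up to the empty line
            while data[pos:pos + 2] != b"\r\n":
                nxt = data.find(b"\r\n", pos)
                if nxt < 0:
                    raise FramingError("truncated trailers")
                pos = nxt + 2
            return body, data[pos + 2:]
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk")
        body += chunk
        pos += size + 2


def frame_request(raw: bytes, mode: str):
    """Return (request_line, headers, body, leftover) under a framing policy.

    mode = "rfc7230"  Transfer-Encoding takes precedence (the correct rule)
    mode = "cl-first" Content-Length takes precedence (the inverted rule)
    mode = "strict"   reject any request that carries both headers
    'leftover' is whatever the parser would treat as the start of the next
    request on the connection; two policies disagreeing on it is the desync."""
    request_line, headers, rest = parse_headers(raw)
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    if mode == "strict" and te is not None and cl is not None:
        raise FramingError("ambiguous framing: both Transfer-Encoding and Content-Length")
    if te is not None and (mode != "cl-first" or cl is None):
        if te.lower().split(",")[-1].strip() != "chunked":
            raise FramingError("Transfer-Encoding must end with chunked")
        body, leftover = read_chunked(rest)
    elif cl is not None:
        if not cl.isdigit():
            raise FramingError("invalid Content-Length: %r" % cl)
        n = int(cl)
        if len(rest) < n:
            raise FramingError("truncated body")
        body, leftover = rest[:n], rest[n:]
    else:
        body, leftover = b"", rest
    return request_line, headers, body, leftover


# Constructed sample: both framing headers present. The chunked body is the
# five bytes "hello"; Content-Length: 5 covers only "5\r\nhe" of the wire bytes.
AMBIGUOUS_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)


def compare_framings(raw: bytes):
    """Run every policy over one request; map mode -> (body, leftover) or error text."""
    results = {}
    for mode in ("rfc7230", "cl-first", "strict"):
        try:
            _, _, body, leftover = frame_request(raw, mode)
            results[mode] = (body, leftover)
        except FramingError as exc:
            results[mode] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for mode, outcome in compare_framings(AMBIGUOUS_REQUEST).items():
        print("%-8s %r" % (mode, outcome))
```

Running it shows the three outcomes side by side: the RFC-compliant parser consumes the whole chunked body and leaves nothing on the connection, the Content-Length-first parser stops after five bytes and treats the remaining ten as the beginning of a new request, and strict mode refuses the request outright. A proxy and a back end that land in the first two rows for the same bytes is exactly the CL.TE disagreement the advisory describes.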
CVE-2026-40562 | CVSS 7.5 (HIGH) | Vulnerability class: HTTP Request Smuggling (CL.TE) | Affected: Gazelle ≤ 0.49 for Perl | Platform: Cross-platform
Discovery, Exploitation Status, and Known Campaigns
As of publication, no active exploitation of CVE-2026-40562 has been confirmed in the wild, and no specific threat actor campaigns have been attributed to this vulnerability. However, security teams would be unwise to treat "not yet exploited" as "safe to defer." The HTTP request smuggling attack class is extremely well understood by offensive researchers — tools like PortSwigger's HTTP Request Smuggler extension can automate discovery and exploitation of exactly this type of flaw. The gap between public disclosure and active exploitation for high-impact web vulnerabilities has shrunk dramatically in recent years, often measured in days rather than months.
The vulnerability was catalogued under the tags http-request-smuggling, header-precedence, transfer-encoding, and content-length. Attribution for original discovery has not been publicly confirmed at the time of writing. Organizations running Gazelle in environments where a reverse proxy fronts the application should treat this as a priority remediation item regardless of the current exploitation status.
What You Should Do Right Now
Whether you're a developer, a sysadmin, or a security engineer, here are three concrete steps — in order of priority:
- Upgrade Gazelle immediately. Check your application's cpanfile, Makefile.PL, or META.json for the Gazelle dependency. Any version at or below 0.49 is vulnerable. Update to the latest patched release via CPAN: run cpanm Gazelle or cpan install Gazelle and verify the installed version is higher than 0.49. Pin the version in your dependency manifest and redeploy.
- Enforce strict request parsing at your reverse proxy. Configure Nginx, HAProxy, or your cloud load balancer to reject or normalize any HTTP request that contains both a Content-Length and a Transfer-Encoding header simultaneously. In Nginx, ensure you're running version 1.21.1 or later, where improved smuggling protections are active. For HAProxy, set option http-server-close and review your tune.http.maxhdr settings. This adds a defensive layer even before traffic reaches your Perl application.
- Audit your request logs for anomalous patterns now. Search your access logs for requests that contain both Content-Length and Transfer-Encoding headers — a combination that should be rare in legitimate traffic. Tools like grep on raw access logs or a WAF query can surface this quickly. If you find hits predating this advisory, treat them as a potential incident and investigate further. Going forward, add alerting on this header combination in your WAF or SIEM.
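The log audit in the third step only works if the proxy actually records both headers, which a default access log does not. The added example below (written for this article, not a tool from the Gazelle project) assumes the reverse proxy writes JSON log lines that include the request's Content-Length and Transfer-Encoding header values, as an Nginx log_format using $http_content_length and $http_transfer_encoding would, with "-" for an absent header. The log lines are constructed; the scanner flags every request that carried both headers, skips unparsable lines instead of aborting, and groups hits by source address so an analyst can see whether they cluster.

```python
# Added example: scan JSON access logs for requests carrying both
# Content-Length and Transfer-Encoding. Log lines below are constructed.
import json

# Assumed log shape: one JSON object per line with http_content_length and
# http_transfer_encoding fields, "-" meaning the header was absent.
SAMPLE_LOG = """\
{"time":"2026-04-02T10:14:05Z","remote_addr":"203.0.113.7","request":"GET /login HTTP/1.1","status":200,"http_content_length":"-","http_transfer_encoding":"-"}
{"time":"2026-04-02T10:14:06Z","remote_addr":"203.0.113.7","request":"POST /api/upload HTTP/1.1","status":200,"http_content_length":"1048","http_transfer_encoding":"-"}
{"time":"2026-04-02T10:14:09Z","remote_addr":"198.51.100.23","request":"POST /api/upload HTTP/1.1","status":200,"http_content_length":"-","http_transfer_encoding":"chunked"}
{"time":"2026-04-02T10:15:41Z","remote_addr":"192.0.2.55","request":"POST /search HTTP/1.1","status":200,"http_content_length":"4","http_transfer_encoding":"chunked"}
this line is not JSON and must be skipped rather than crash the scan
{"time":"2026-04-02T10:15:42Z","remote_addr":"192.0.2.55","request":"POST /search HTTP/1.1","status":400,"http_content_length":"6","http_transfer_encoding":"chunked"}
"""


def header_present(value) -> bool:
    """True when the logged header value is real, not the "-" absent marker."""
    return value not in (None, "", "-")


def find_ambiguous_framing(log_text: str):
    """Return one record per log line whose request carried BOTH framing headers.

    Any Transfer-Encoding value counts, not only the literal "chunked": the
    combination itself is the anomaly worth a look, whatever the value says."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip; a production job should count these
        if header_present(rec.get("http_content_length")) and header_present(
            rec.get("http_transfer_encoding")
        ):
            hits.append(
                {
                    "line": lineno,
                    "time": rec.get("time"),
                    "remote_addr": rec.get("remote_addr"),
                    "request": rec.get("request"),
                    "status": rec.get("status"),
                    "content_length": rec["http_content_length"],
                    "transfer_encoding": rec["http_transfer_encoding"],
                }
            )
    return hits


def count_by_source(hits):
    """Group hits by client address; repeated hits from one source stand out."""
    counts = {}
    for hit in hits:
        counts[hit["remote_addr"]] = counts.get(hit["remote_addr"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_ambiguous_framing(SAMPLE_LOG)
    for hit in found:
        print(
            "line %(line)d %(time)s %(remote_addr)s %(request)r "
            "CL=%(content_length)s TE=%(transfer_encoding)s status=%(status)s" % hit
        )
    print("hits by source:", count_by_source(found))
```

The same predicate, "both headers present", is what to encode as the alerting rule in the WAF or SIEM; the script is the offline version for going back over logs that predate the advisory.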
CVE-2026-40562 affects Gazelle for Perl through version 0.49. CVSS score: 7.5 (HIGH). No active exploitation confirmed at time of publication. This article will be updated as new information becomes available.